[Icecast-dev] upcoming libshout beta/snapshot
Roger Hågensen
rh_icecast at skuldwyrm.no
Mon Apr 27 05:41:46 PDT 2015
On 2015-04-26 18:15, Philipp Schafft wrote:
> I tested with both Mozilla's 'Modern' and 'Intermediate' list. Both
> work well with all versions of Icecast (official) as well as current -kh.
>
In that case my suggestion is for libshout to only focus on using the
Modern list then as it explicitly excludes DES and RC4 and MD5.
While HMAC-MD5 (for some password uses) and filehashing (as a
alternative to CRC32) use is still fine any other use of MD5 is
potentially vulnerable.
RC4 (the original) has a weakness with the first n bytes of the stream,
so unless it's the modified RC4 then that really shouldn't be used either.
And DES is very old and AFAIK the key size is tiny on DES, though 3DES
is a little better but still old too).
BTW! Could libshout simplify the cipher list further than Modern?
If it's not too much too ask, could your re-run the tests only this time
with SHA256 ciphers as the minimum (in other words excluding SHA / SHA1).
SHA1 should not really be used if it can be avoided (it's still fine for
HMAC-SHA1 though and as a CRC32 filechecksum alternative) as some known
weaknesses exists.
Also is it possible to use TLSv1.2 only? (in other words excluding TLSv1.1)
By the looks of it TLSv1.2 uses SHA256 for all ciphers (basically
excluding the use of MD5/SHA1).
So if TLSv1.2 works fine with Icecast then those old hash methods can be
avoided fully.
--
Roger Hågensen, Freelancer, http://skuldwyrm.no/
More information about the Icecast-dev
mailing list